A vCenter Single Sign-On lockout policy specifies the conditions under which a user's vCenter Single Sign-On account is locked when the user attempts to log in with incorrect credentials. You can edit the lockout policy.

If a user logs in to vsphere.local multiple times with the wrong password, the user is locked out. The lockout policy allows you to specify the maximum number of failed login attempts and how much time can elapse between failures. The policy also specifies how much time must elapse before the account is automatically unlocked.
Note: The lockout policy applies only to user accounts, not to system accounts such as administrator@vsphere.local.


  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.
    Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.
  2. Browse to Administration > Single Sign-On > Configuration.
  3. Click the Policies tab and select Lockout Policy.
  4. Click Edit.
  5. Edit the parameters.
    | Option | Description |
    | --- | --- |
    | Description | Optional description of the lockout policy. |
    | Max number of failed login attempts | Maximum number of failed login attempts that are allowed before the account is locked. |
    | Time interval between failures | Time period in which failed login attempts must occur to trigger a lockout. |
    | Unlock time | Amount of time that the account remains locked. If you enter 0, the administrator must unlock the account explicitly. |
  6. Click OK.
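
To see how the three parameters interact before changing them, the following added example (not VMware code) replays constructed login events against a policy. The sliding-window counting, locking when the count reaches the maximum, the reset on a successful login, and all names in the code are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    max_failed_attempts: int  # "Max number of failed login attempts"
    failure_interval_s: int   # "Time interval between failures"
    unlock_time_s: int        # "Unlock time"; 0 = administrator must unlock

# Per the page's note, system accounts are not subject to the policy.
SYSTEM_ACCOUNTS = {"administrator@vsphere.local"}

def evaluate(policy, events):
    """Replay time-ordered (timestamp_s, user, success) events; one outcome each.
    Assumed model: sliding window, lock when the count reaches the maximum,
    and a successful login clears the failure history."""
    failures, locked_at, outcomes = {}, {}, []
    for ts, user, success in events:
        if user in locked_at:
            expired = (policy.unlock_time_s > 0
                       and ts - locked_at[user] >= policy.unlock_time_s)
            if not expired:
                outcomes.append("rejected-locked")
                continue
            del locked_at[user]          # automatic unlock
            failures.pop(user, None)
        if success:
            failures.pop(user, None)
            outcomes.append("ok")
            continue
        if user in SYSTEM_ACCOUNTS:
            outcomes.append("failed")    # never counted toward a lockout
            continue
        window = [t for t in failures.get(user, [])
                  if ts - t < policy.failure_interval_s] + [ts]
        failures[user] = window
        if len(window) >= policy.max_failed_attempts:
            locked_at[user] = ts
            outcomes.append("locked")
        else:
            outcomes.append("failed")
    return outcomes

# Constructed sample: two early failures age out of the 180 s window,
# then three failures inside the window trigger the lock at t=450.
ALICE = "alice@vsphere.local"
SAMPLE_EVENTS = [(0, ALICE, False), (60, ALICE, False), (400, ALICE, False),
                 (420, ALICE, False), (450, ALICE, False), (500, ALICE, True),
                 (760, ALICE, True)]

if __name__ == "__main__":
    print(evaluate(LockoutPolicy(3, 180, 300), SAMPLE_EVENTS))
```

With an unlock time of 0 the same events leave the account rejected at t=760, because only an administrator can clear the lock.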